1573a03279d54ebce66b91825a6cdab0a123792c7c77077e9edbc64eb5078a3f

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10/08/2024, 09:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
Size

1.3MB
MD5

8a586a05ecf91b8874351731012d18ff
SHA1

af1e1fdc40e98cc82a4c73060407b7c072a3a6dc
SHA256

1573a03279d54ebce66b91825a6cdab0a123792c7c77077e9edbc64eb5078a3f
SHA512

72acdfec4247006959ea16fe022f73663db1ab947c37a7974f1510143cab8daaa84a20ea2956b7377e1c2f0ab400405f4523050c357873a014f5f9dd0ba69702
SSDEEP

12288:GtOw6BaTMTmkJR4Do07Y86gw5CtCjX+NLuFhNpBeZT3X:46BvSkQ/7Gb8NLEbeZ

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4916	alg.exe
4880	DiagnosticsHub.StandardCollector.Service.exe
1560	fxssvc.exe
3444	elevation_service.exe
3944	elevation_service.exe
3552	maintenanceservice.exe
3640	msdtc.exe
2860	OSE.EXE
3724	PerceptionSimulationService.exe
4076	perfhost.exe
4020	locator.exe
5068	SensorDataService.exe
1772	snmptrap.exe
3888	spectrum.exe
708	ssh-agent.exe
4484	TieringEngineService.exe
936	AgentService.exe
4116	vds.exe
4924	vssvc.exe
1960	wbengine.exe
4520	WmiApSrv.exe
3948	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\accd3eb4352c8123.bin	alg.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_82781\java.exe	2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000893b39a407ebda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000792eaaa307ebda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007cf751a307ebda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000058bc56a307ebda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000016954fa307ebda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d61e59a307ebda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ecaa24a307ebda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
3412	2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
3412	2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
3412	2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
3412	2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
3412	2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
3412	2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
3412	2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
3412	2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
3412	2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
3412	2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
3412	2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
3412	2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
3412	2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
3412	2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
3412	2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
3412	2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
3412	2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
3412	2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
3412	2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
3412	2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
3412	2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
3412	2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
3412	2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
3412	2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
3412	2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
3412	2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
3412	2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
3412	2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
3412	2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
3412	2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
3412	2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
3412	2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
3412	2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
3412	2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
3412	2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3412	2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
Token: SeAuditPrivilege	1560	fxssvc.exe
Token: SeRestorePrivilege	4484	TieringEngineService.exe
Token: SeManageVolumePrivilege	4484	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	936	AgentService.exe
Token: SeBackupPrivilege	4924	vssvc.exe
Token: SeRestorePrivilege	4924	vssvc.exe
Token: SeAuditPrivilege	4924	vssvc.exe
Token: SeBackupPrivilege	1960	wbengine.exe
Token: SeRestorePrivilege	1960	wbengine.exe
Token: SeSecurityPrivilege	1960	wbengine.exe
Token: 33	3948	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3948	SearchIndexer.exe
Token: SeDebugPrivilege	3412	2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
Token: SeDebugPrivilege	3412	2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
Token: SeDebugPrivilege	3412	2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
Token: SeDebugPrivilege	3412	2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
Token: SeDebugPrivilege	3412	2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
Token: SeDebugPrivilege	4916	alg.exe
Token: SeDebugPrivilege	4916	alg.exe
Token: SeDebugPrivilege	4916	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3948 wrote to memory of 636	3948	SearchIndexer.exe	111
PID 3948 wrote to memory of 636	3948	SearchIndexer.exe	111
PID 3948 wrote to memory of 2792	3948	SearchIndexer.exe	112
PID 3948 wrote to memory of 2792	3948	SearchIndexer.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3412

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4916

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4880

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3464

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1560

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3444

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3944

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3552

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3640

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2860

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3724

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4076

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4020

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5068

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1772

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3888

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:708

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4492

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4484

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:936

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4116

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4924

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1960

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4520

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3948
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:636
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
71983268d5c990adec98dd5c13d16aaa

SHA1
e53b9ba88ea15aca0a19b930b94d13a9b5c76cb4

SHA256
436f0b78a616c2c92ad7ccc7a3be0d208725083593143bd935e9971b6ee50d09

SHA512
f8ce1e976e9b4f88b76850475dbf6c1d7e2318ae5e8e3045d49efc61b7fc44d822da53830854106637beae70360f211633d245a6b8b770baac22b594510ea345

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
ac6c7e19dc14268a0889bf393f69cb45

SHA1
959f5280f7ee28849652acb1c4e6214a42fcf115

SHA256
a9491eec58b0f3931be8be90f31fb8573d3659df48db27896cb9f026215448ee

SHA512
c12bdf8d8a97bf4667da294d72ce8475d2f7641c9ab1cb562f508c028889966ec46782e613ebc2fb08c3fa8da7303b84012cdff3cf5a84c94ec542cbd99b2552

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
41d363cb5fd51b682fe35b92b3729a7e

SHA1
b67752bf09a86198cd999a0f3d08530c8a79cc52

SHA256
0774543b3126bd7147acd8c3e03a3dd0635b91806adee437a361bb8b06b708bd

SHA512
e8715863ec5b4934a69aa9e309416a84139e2920fe32919e8e1be4e36ee65af3b931a6f736f97e67d8226f6f802669cabe54068d0ed603fb489edaf2a308eda1

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
fa6e250b3f8f3f0edfd4960ed09398bd

SHA1
a2dab2e14bf135cc5fcdd81854c1b366016959ca

SHA256
9f0fd1d3b1d93ed810004ae942391fcffc6f2e5a062966601889e1271e69b685

SHA512
fad9998eea57e5744f550d0be10ee55e1c632cbdf071efae7ee76ac7748cd906f85d6d302609c87230633c3bcefd27805f4b089599b1cafbe57f70a176716280

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
65ab96b6c731759ee9054d30d247a772

SHA1
4baad85229550209b8f86a11d8584c0203845b7a

SHA256
e1ee77fc27b5c19de2f2665531a6e21b5ad5562d6f1cdec674e1aa7776c880db

SHA512
5e21a63a239f7ef0c0229d74d0a93e49fcdbf35d03fc8280af2809cfba319e95c25850f8b5c09d7617ae94be558244fc77d70ea60987caa1273f2bb99b226ac7

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
3749f52a66ac24d2dea4d404494669b3

SHA1
274d96e790452b931b8e11f6ae12b6f013042922

SHA256
5b1a7fff4e21045b4d7d360021f3a04739912c9438518f79173cd434cbd78462

SHA512
c3e7159121210d7c723f094143b11608fd3c1209044b16a42334c09b5109ab5c55c2c70bef91f6f3a35ef44020c89e089d47b5bd263f04a2bbcc40534012c40b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
ae02ba56a73f73f03e8e6ae02ba87737

SHA1
fc97f55297546e83126e99d002c226b85d0d4d78

SHA256
b9ab6221a6ef93b9c3429bd2ec83ccc32313554bfead71a1ec32581048db538b

SHA512
caae1f7bc30460f46874f6a430dd4ee06f096d323f8f15c62645791e1198bd331ff00bacf7ada9d9ed7f24b6ac77ed59c3790b16fcd61cb23992fd5516c0c057

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
ee856db40f414b32782c0f8fc09a9e14

SHA1
f488fccef53a9ba271a5130c79f479c98d7194cb

SHA256
e5097be2ecdd25a46e4504b7d3a333872bf76b7c884c6634030326372883a8e1

SHA512
9bb7bae7f7f2cbab7d5b7993673e907841d24b5f148e9fb147b2ee7539d11a977fc2f76f465f05919bd89a86682dce19fd6e3b29b92f762cf1e7d41cf1b0feb2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
9a4369f58294139cb0114d6245790e27

SHA1
f85e1787a717c672cb35abb9dd99f5fa44e5b866

SHA256
35a87dd1dd0ba99c30c137cb9ed9d97281f31d58d56eb581680b694a9a245eea

SHA512
37f5da562bbca52c579061d681c893645fcae506343bb881fe142430f37407fe66e974fb8db030194174be0871af1dc7d43011e2b6798957947b57a3d403cdba

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
c2b03f4acff167266f3b66abfdf7fa95

SHA1
623f3cb78a53f459ccbab65f5372ff62cdc3ecc1

SHA256
6e96c347d0e844dfb99fe3d65208fff481aed1b49d70a792670d00aad8a5ae10

SHA512
b908b7d66945da09e90a0bb9891dca9e52c1df9233672183701c5fac71d0ff459bd806b9fa662b67a8c93535d51320877ebd0821d82669535c333ea4230ca2de

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
572107781ad3dd31c2712151c1704cd8

SHA1
d6d4acf1775da03e5e96b0c52c1e1219f695ec1d

SHA256
75b3eef5c5dba0358144f33f39ecff8ebbbdd96e39c761cdc191c0222d46194b

SHA512
1a6183fe4683c19b1d7fb2c3205d6b6674b706aa26ab9824b6cc7622090058a4972276129db54c1d4ef54ec2439e682706c5bb123f70f6eacdb1c3666a0a1e1f

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
d6fb66bf02150c1723f0969cf1806d19

SHA1
4d21a1c45624129cea5f544a5cd464a6ae8a094e

SHA256
e528542ee2c130c778c572e216bf2863d8ee716e45ae7b40473641a4a60d9f74

SHA512
18883bf4150fe6f1a4d26f95ebb1f6521e6c7336858c44ac776bfa59a4070205688a921d83ceb6e34ee4e33045ebd66ca26f470436b7b3f8be88682f8b26a0a2

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
cfb1f164aae191efb6f6d845ccea1f9a

SHA1
8a4c55df700bd7afa031c70ba6ec85969425313a

SHA256
30fd188179fa069364b277ead8dee5a1ad317eaba586427309a9e45a60b43fc7

SHA512
4af0367bc715ef059f5cfa2c8d3fe83f04f2fd169d8f55a401753ccbc104671564d5ff79e08b2685ce57ba4d6e795cd0fa6f15340c0e4a08b070405ebd36b34d

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
523e8e9f1714d6d87dd866477a46f1ab

SHA1
6befe906461518f5f877ce4d8485582ac1c74ccb

SHA256
a115c25a1fa464d6a95f3a6db0985a76d9438782942aed74558d9d5843130fbb

SHA512
c253fc1a755f28f34d3a752bf6b0e6a2263437a662fffddaaf767e70c2c5a1d261fe374ddf8fd7288a663c4ce3d9b482c5755adfd8741854bade7a0b1b515e87

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
183b161505d97f276e4da8fa37267108

SHA1
1458ebb20e8855b21aa524ee9f9ec6e88e1c7245

SHA256
341ed7c09b64aac9a3717252892ef3ff930c7164b04d53343cb3bb07948d4943

SHA512
8f18d5112cb5d5cb4d749282d23dcba444ac085df5ec0759b6005787bf91d887e77323e48e8e22c90a0297e1244669cfc67b760666ed60065f397cbd63af5f69

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
370a783749e9a366e6125272ce21bcb7

SHA1
019ae15117efdeba99a4531465e0abf6fe3340ca

SHA256
bf7db27fe54cc77adab540f0db82dfacd4191d0ee788c233787b39a29dea69a1

SHA512
5f7c2721e7f89239dc8e34bef44d07bb158189388f123374520e303856f5878e1a4bc5c7bb08d273d5584c57458d556f9db863c6459ec36a98c8dd063db3e2d6

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
ef284fc6056dbfc7b51429402e97ceaf

SHA1
ee8e78e3570a599085de9b756b1b105cc711f43c

SHA256
82e61a1d064090b619e79d329cd540696672634296544905f0af481e6508ae56

SHA512
b0d7f6d0a498ccfb5f4c4d2dbf0b2e46b012f4ca7b227e9f35506799fe6d44759a79391079ca71bfbf08d1cfe95f23ede71df74d0cd1a362dc36c7463ab3d213

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
36e4a87df2ac9fb0f452fa815bf3ff5d

SHA1
0465f5acef942b3cacdca88dc5af459828aabcf2

SHA256
27c441fc9e5f7de528775289d683d68984bd3d5ebcaa25b4580bc249269386f4

SHA512
af711eedd83cf87baf3faee9f75a784ee9d7fbd67a6d7645b2da756735c23c98aeb666e2adfe564c2bec38352b6b46a05d2601def6480aa88556aa93840736a1

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
959a656fa5cf39ce0b7afa9580fe5c5e

SHA1
22d3e07d0264c4252add529ba2d80a0fbfe6cc91

SHA256
3c3f05adf72b5251d333dd1925c5af0607cf576c231cb03ba56a638af2ef2662

SHA512
369c88e9d59a965c56bc18dfaf0080c10279f8850f72279d9673987bccd97aa0c17b5bf76126f80318c56a0e8ccb9fd9eae92ecb4dbd0521bd9ca02c61ace637

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
6da7f1e591dadb71e9ae430e1887e2c4

SHA1
21b3da58c4158b42a83e7e3b49ffe258a4a42685

SHA256
6f8f32ac51cd7a0db92d5adabad2a23db82c8c96d97acad4959c58da8bbeff66

SHA512
2dfa54c49afc86cb16228e016b5d7ded5f5be008ee9a927314c20322317bb2248e2ada1b9419928b638b7e0052a5b83e85951cc14c50ae00c2f5704614207d8f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
b9cbc0864e2c8a507e0a79259c24380d

SHA1
ef22585e326671a23bbdca5dfb93e60c6b24c3e5

SHA256
b4b076188f6a4728135b2d0f1ab615d09af246a47a289006c72945dbcdea9172

SHA512
823caaa46b528b95079a2b46af618fe17691f4377825e4932d5ca994e792343352942e5dcb49e30a2c861b6cc11ca3a98c6d22159c0f4763050f3d6e23c07414

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
544ad4dac9926ae2fa474e60f6eaec30

SHA1
78822262ccecf228aa960b348087ce39eb1de482

SHA256
c26102371ee06bcac753a0a78604042f635bd4650eceb49ca5bfe91e3c77f266

SHA512
5eeaa78261e77a2b05b774a19bf7fa143ef3ff97bd57208d7489571cfd485e1cb51eb3f0956a0b7df459916a4384659633bdc54f5ad83ac8886b81770c0513b9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
404a8fdcb7569956cb0fca03a59ed72b

SHA1
2eac7aad200e12e11a90657bbe6cd905f0e0fa9c

SHA256
8ffcc9deb6a23ab2fc962cd7f477f9f8764834c08f6214c5b50ff1b5878697b2

SHA512
d1caeaf8d378b9460a35f1d1586a95f8cfbb5c0423430b614f08ad7f9b636c9f48e7a51ffba0dca633818b1de54e12d695830ad48ad18f4177b9999ac124a740

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
d31efc03c2e5369716ae3d7fc38dd87c

SHA1
5eb989feeac7932e38d385c9e4a9b40d87991904

SHA256
23d2a4ec9d1908af18bb4dbe036e2f7859d37bc3e848f739a5b5369b37913cc2

SHA512
0a9e207ee19aff8d3c4f7908b574a77712511f8f1b18cec1a034b958f9d2931225ce3df46a26e37b994f2471160087cb8e1b3e7c1a65b6d86d532fb4a67cb127

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
0996afb017be12609c93ce09b7ac06c1

SHA1
95c9b1bedc70bd76690b71cc96fca00c6cef9b14

SHA256
fc87b949f240567da2c838e136dfc0de1437113b32140468e5a83936bebcfc24

SHA512
7019525d0c40f85daa34be4bd59507345a1d5583a4be9fdeb9d230f7950eb55d1d71b9abaaf90491c0226df0768795986dc2fba18e14074e54442bcccd6b88b0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
18ef095d023db1b12bbb45b26d96c32a

SHA1
62c54a006b41688731d4233ff8f195f3b66393c2

SHA256
3a3b4b698592c56d0e538b26f23f082078a5e507127e11407946a27a8db2e67d

SHA512
7d798375c9018812e4bdb99dcce8567da154b4bf32417caa2c0f60427d4374b0b848ac975128eeeea43eafe505a94453b725038970f6223bd6348d635e309be9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
28396a5f4cf1309a251ad441dc5a90e0

SHA1
1d0269ea9fd506782eacf378f79f6c7688ea167f

SHA256
1160e745f784402f6c1c54fff50a339ea792f705b72e61257705d458c80b21f6

SHA512
dd02f81534deddb681c9f2d8b50a9dc685f07eeb4d508d69d8b844fe717bbb45c4b721f8f7e8bed24cf04b1ba42e9136fd3eda0573329f813d19d5d9743f504e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
652882cd14258cd392ef39c9534fcfc2

SHA1
7a198457c47f9db91496cb272f219feab85bc2bb

SHA256
cd0b701d5f14ad193b066f29983179d6e8d62dad0b0045d3a1bcdf7d8b330433

SHA512
73a83237f7bb5bc1e11c0e2ee4d64015c1c24c8fbb5e48992840e59eafa3e63fa86dd239a82c856e36cf64574245cb41f39f35d37442117c14e39f6010a5bf44

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
1f156fa5ab0693288b6e8999758c9c50

SHA1
8c100bbc6828b5ebf25416eb5cfd17306dd94c3d

SHA256
cd4c5ba291397784ee19475a3f8f425c1cf3f5b4aaed70856809fb9fa9699cda

SHA512
7049dc0bbc9fdc7252d7d2484c4d3b53e31d70808a2c16f9fb8f7c6790f7baa242a80283319b999470455a74b9f45561a6ce7fcf77a229ba3c9a91ef0218166a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
5c9f477c1365708c1dac439d0bd9f081

SHA1
accb62a916e7583d2c76507d17568b004e08e8fc

SHA256
29ae280bb1242d4489acf044529ba8585e6766a63ec4a60330b54c480bcc0497

SHA512
d974138c7bd1db193679eddbb8e3e86a6fb34c66070141d651b2cfcd1137e2e8e141a30d6ab3c7b02b23a8e9af6b20e769cd373eaf141a891d9ab40c424f96e7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
7052edf97ebe5e10bf21733a9a22bd1c

SHA1
9764960932b2f84ed8e17de5fec298ee83f6fd10

SHA256
1f61f41b44490c5f019cfbd23a52c836c4b88fc9b6eb9fdd19d3d8382fcd6994

SHA512
9b210f5886e771c7ef290280a95ba385c136fe43b5a9bc85aca5bb0e106bac40096ae4cbb7e22f8a515f7e8a9f8469338c29f122463fb61f5ec997bd20f28a71

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
462ed60a2224aca51ccdf6baa7828e0c

SHA1
822199762ef9261b2d586273fae289e5a8cf549f

SHA256
80fc06223103a4ad2ebfd2e4656eec8f3fef3fa2b400765170643b8f44bb8617

SHA512
883e9499de00ebab7574ec5cfa3602e1afc51650c857f0724a685f5720572d2a349eb3b646d95294956f4ef0937fe3e3b5c7bbef7fd2e6465195370d201bb18b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
f68c3ae8abe7ab4d25848bb9a1a8db52

SHA1
43b7a8314f43b8482592b0e0ecb6b9b9c746312d

SHA256
9babb39373cdffb7a3ed915bb2d0c52686be9554168ce2bd5436089257a3227f

SHA512
cf8cce67573c308127c91b713b4fb6de599a1872cabe800aa2b970e051a1edce367528a3eda820f88be2685be3b2b23c2f111cde5ffec2ee96e07aadb54c2a07

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
f55fc771edf4cf02f684aed0ac1e5a42

SHA1
b474af15fafac2e40c69f542b53e54e1a7bde708

SHA256
c614bb9ee69d96bae6ff083d8240eb29699710c9e940f57460e00c3cf38188b6

SHA512
e7fa878ee77a3af779846ad36fad3b3ae01b7a02531e072f21b1ffae41a4aead7232527e302e458d64778e7ae45968fae07cd55bdbf00ee2f6c9c5f11cdb3ae1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
9f47c1db432c6d52509ed669f4d278d5

SHA1
acc509f2696b4393f66afb19b35f07c164cd3354

SHA256
46c16aec5fa7a6d3b3e58dc4b314504f6f6ae169011693555bb0cfc79f746e19

SHA512
051bbb175be127cfdc40810baad14fa19085d6f8b946a8d09dd53f7de92dbc531a9e950d61cf1842c8a7bfc12c58f703db37e9f74882979a5cfd08b3b0b567d8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
9d26f99faf14edafd0cc7edc77fa3e18

SHA1
d2ba907402058511960fd3196a4e3a285deb8e94

SHA256
e40629f2951eca0135e3d61309a14ff6b59ad3835fe4cc8176f7227b850d199e

SHA512
7b3c26816d043c58a51face281681a1f7b24c68227ca955622f22d4c9616467d60c9940e5e8e8ed9db76adfff0160b656a1d3065c2bf64a6f22f7de96189e1d9

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
3ae7ee59b95d2558b4f97d451c67b2b2

SHA1
40f50c63b7948ac2c23904bfb2e9a10c57fb322b

SHA256
46ed995317e4899163903cd27e4065a91c38a3fa0bcc250a176a867d54514c31

SHA512
0b70cc7c1703675321a9a46793978e463dad2d7feaf416db3ff99c280b2a19d708d9f84cb4ec089f0c5eb7e40be597135d645fd9fae6283a36b4d3d4396040f2

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
f9cc33c2eaa78552f8ff038374235cc3

SHA1
1422a43050f91a5cb9847c537918699970b350d5

SHA256
6c76f4712841dc7e846230419fabd088b31fd30ac00558e2abfdb6ba8a293f08

SHA512
4fb52d9ae58fecb255541d76cad3d1ef2f989a948785584ddcb1988dc7160751b6390476932b3965cf094a4c84ebbbcd9c4a2da080eeb3185317376ce417adc2

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
5740b398ed8ad2f6e0c231fa0375872e

SHA1
b000c10797d6fa6676526af2207b6fdab669fc23

SHA256
16bd72aa44794533c5a2319ab113014964d75493ec435aef21d0bdd7de99b1f2

SHA512
5c125dc7e93c112aa17732440b1c8e0e2b9b0c05c5ddaa2110978bb2e16680569312f57dfc117024663f732549cf67f52224741665ac94f5ab6a1b75cd8b49ba

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
1ab87a15b43466dbdf15a0aa69451a6e

SHA1
45c4bfd8f9de6b89a46a823303ebd95593f7bd11

SHA256
011b6c1178a2acc00b7477a98e52e3129fe16454ea8fa410ce0e636cad3859b2

SHA512
dfc2930a0627c0f4c73be1489df42f8964a9c72bbf75fb759668a005b0ba805e434c87a8da6f049b4a991b892903ea52e0500c382c75216628a7c81dba3cc331

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
41152e18d7554852b230a77cfe2564cc

SHA1
fdfd776e0225952da19c21f571f16104a2c24023

SHA256
a60ca33b71147703afb1466f55b4fe534957a981d350260eae229b139a3c42ad

SHA512
84643d1ecaedc174a73e03e89524f5c78c9f0669daaa8f528cc68e5a9807991c97d92c2eaf359803b7b49b4cae287e0292f30bf0252cbf5f64ce417be2d3699c

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
6a32ca8f5da50cd4be2db579b92bcc7b

SHA1
66bee7ebc965eb9fc63c9bb7df584005cbb03c70

SHA256
db307c4ae8080e28bf85cea75878d482bb86e3a1cd583a6d53313954dd52f27f

SHA512
e276a0d519dab47d30734a4fbbc9746b350bdfd44022940099c62d97aca94a4fc884e9b2f603681aa2158abaa7e871a72fd7f29844810a8922f39764c150d019

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
76bca3dd190f9f55867bd5031dbb80e4

SHA1
9e41d81497e9289fae6ad03f007b659cc4e72df9

SHA256
22dfef889764410f0f60775afc3a830540d5d2b913ba6e8fad29fd3fe8193dc4

SHA512
62c5f3823d051ac9f0dcdba2ce838e170c21daa472a0240d544d1f01dab9acd2cbc11ce33e59bd20a13bb09ebc86356f018c48131d7c92533dc6808c973b5635

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
978455e637a17872de00d7cdc81f2b93

SHA1
413cc14e960691b6e2433a805284863fc398c651

SHA256
4853da76aa961aecb1fb1c0d22c34f7871e7e61110b74eb597339c5d658c92a3

SHA512
6fb41a7d51cc28cf6b9f584b1a0006bf892bf6183a5e8cd70af182208843eed28060288eaf9e58fb2575d0b5f36121f5ad961834e6e67371ea51269d58468c40

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
1d06a3db045f9d52fc6c75533356dc13

SHA1
21045f7e94d4c14a67791cedaffafb5707998f57

SHA256
b6b14702142e7d8cf2f178df7fc3bb61cce32145076e57528f295d65a4668520

SHA512
4024f1a430678563a5a70e06c97e1d0d440558c3db0e59b110e0f7f70a9ee3dde9e7ad5fd4c6da768edcbf648e2a8538e28e5f1c2c88757c38ad62e6929d2151

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
47576f9369452eed2ea9101697040746

SHA1
c30f48269ddfad6dbe13dbf3987842b3375210d4

SHA256
c748869280d244f3eed1ea46fbe88cc38c0656e8ca72d7d9ab99e47d7c043b85

SHA512
ca1d0bb240c2425529dc61a5ee9c2dfe53818d1babdcc47a2b3c532cf35e8589d1325aec8ae8619304c535a709f93382220b78635625d23f8cb227999c509f46

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
17bc73e9bf36f23d063bdd7e4bf89889

SHA1
725544195a19e31a56fb9c23ec8d719802a6bc6b

SHA256
e5e3f90ff9d04a669c4a0e76c03a89583cd0c6f78123209ad8b6c2f18a1fe7ac

SHA512
25217c7ff703cc05c05e5fc096971133e2be2875dbabb993e91398319a2837901099da04050a0a111d01244941e710f951195b669f0f1bc01a330a11cada92b6

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
a56d89a2004e887dabef0e13455e7905

SHA1
23c6c4281011e74c1e1698185bf6f58058c936ff

SHA256
bb9e2e28e5e33970db70e686c449bc03edb6203a4e8e2fe1728e82a702e3cdb8

SHA512
afae359116e4767c0352a2898be1ba7ba6ecfdcb0e8de070919d6978bf6f77d618aaa09637178df60f71948c9ed8c5d008c841c9bd181bb92bead9a5733ae7ea

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
8ae8cc91a39854c08f9755cf0ce92410

SHA1
7431e50386162bdac169f313fc559438ea45faf7

SHA256
c1f1cc4f794a28835913046fdcca69ebe97effea58fa923c4614c6afab1d5d4e

SHA512
58756dcd1002e37f07e033e6971fb511fb8bb32044d2c25392751f6147d892cb002f4dbafdd2f6a0dca73dae0b75d6294835f1e2b0fe55378487ac35269bbcc8

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
c3cbf5f880131b89403587f66efb5ee4

SHA1
279c7d8eb20a389c164d5597bf0ca3a6ae7fe727

SHA256
5be8ded85bbff9e20e0bee8ca606a68127185a92c6f287b8fa26216cdecc8a96

SHA512
d4994e00e6e8c18de1187cf4ab26673960acdc89b22ff56df9d52617aa64dc02283cda00215b4658b4b0d7ff9754fe32fa116570b83546eb7e29d738fbac943b

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
979b98c889c1ad65d3de241a609c5a26

SHA1
e6319ed32d07863baa3dad51fcaf0fda1b4a4823

SHA256
e6df1a3507cbb123b7631f05b5c281e11012b37b9d302703ee4c876e44032bee

SHA512
d0eea9f318fa9b90ad535c343c4557fc2d0eb995615a7e5ccbe7803cfe84a3750deb1ec51fa34b645aaa9bb8dce4ad8da176a6b908005bfb50a5d8012e4e6a42

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
b99903cf3849d2f8f00de64683d8fa42

SHA1
d94a0e624445c9799cd009e2bffd7cd071d4f367

SHA256
2be24ac2195af038000e6798c5ba1ea0c49e474f886491feb908ea9edaf13abf

SHA512
59bdf2b2148da6ed17f2e927596b59f60372df03088c8c5d2e86dbd183986837dc509f7c90c090842508936d7a0ac7bf7c3d8cf999f8efb98b786e3101524f90

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
d67aa78a704c86288617add20a838f56

SHA1
105826d26bdddabe3d3b66803c15ba735d03aba5

SHA256
1bc4f682cf3d009f7372b1dc92b2a75ffe38be910a99eae7d79b0a9845f8f4ef

SHA512
cba9c90d36241ff6d2e85bef24e4b73d4f26d89ad50d1fb2cf0444d5b42730de8e82dce871ef5d748c69a3a8421ed33e16673c072a3570cc39003274b7fc2ec7

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
2550828d25d0dcf2c8cf02b42b45b8d0

SHA1
3649dde116342165ebc8015e9af35ddc9b1d1103

SHA256
b04eacd08a668c5e5c439995aedf5dcfa6cf0d8d199168877953e175262363b2

SHA512
707ac4035f43b8be217f50b17f31e983523b6cd507f45a72f09b72fe13962b211f653159b9840546a6f07bebad5bb734bbe53794fbc54e59923aa6871a8f6ff7

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
c0a8f97fec60d994f44cfb9dc30a6a03

SHA1
df5aebd7c134ebbf57e1e39601ff2ab39c08a1b5

SHA256
efd4a079bf51aef9a4602926ef6bbd27cd20fa43126503c8f2fb6db2d47601df

SHA512
9d51ccdef41b7c5b4be73b4360e05e9ff177544d8e003877dd0c59ab052f9e7896199668d935207382050f9c1fdf4f7bb4249608b0f0e262a906d2c7d78ece0f

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
5e0a484e711d6f2675fc7e0c9d35703a

SHA1
161682213a43706f08d85c5b65688f57a3aec32b

SHA256
7338565e980bee2974bbd43b2f12a6be7d6124a124ea05fe7e68ea77bac35048

SHA512
4dcbd6df85de6b36d0c79a37cb8e8fe49716fa5e56e526c3fa3a5152ccc53130bd1c196c3716742ba9ae53fe1b7a77f2019473bcdff1dc1ff8016f417e0a1506

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
bf9a54e934edf9f5faf45bc86fd16838

SHA1
364f2f1671ca201603f69ab9d338b6afa49543f1

SHA256
1f07df5c85a7fb82362abfc841e08caf450c5d1c62e15856212e8b81d175f8c5

SHA512
b3d533c38cc3c06faa6dc5835472bc9304cd81c29935c8fe3e55e441396b10fecc66c7d854f6d68ee44b25bb9f683f105e8a0cdc60a38ea96a512428d845cbe8

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.4MB

MD5
caafdfd99cc04122e08dbd4a5290fa33

SHA1
3d9967f4a202783bbb87bbee5f88f24a50cd3b41

SHA256
216a5b6ccad9e54f0920cd32afda7bfc94fae27d6904e2818578ed9a47f79e09

SHA512
9a2f26d0e50e36260cf7327cf773e2873383d7235d27930bfaa0a755d818121c131fe7277f055fa7a4686235aa51a032223170fd03a69735c2b82f8065319909

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
cf42c74045556ab4b569f9c91d46960a

SHA1
b3df58fdf12404265f5a30667ee8ed941671fddc

SHA256
c86ff851b9fcab65ab732755ac95cacef2e6d513e5a043b2eff45334b1d91e89

SHA512
bcd1e959f5a913f2e2edf1841ce007b96ebc0f58c41792c73513178769cc65c92a277babb6b243a43d29d8878caed4dcf6375bcfd5f6ce5b3bf886f3437cdb3b

Download Submit
memory/708-274-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/936-207-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1560-46-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1560-87-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/1560-47-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/1560-37-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/1560-88-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1772-272-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1960-278-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2860-266-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/3412-1-0x00000000024B0000-0x0000000002516000-memory.dmp

Filesize
408KB

Download
memory/3412-6-0x00000000024B0000-0x0000000002516000-memory.dmp

Filesize
408KB

Download
memory/3412-0-0x0000000000400000-0x000000000061B000-memory.dmp

Filesize
2.1MB

Download
memory/3412-265-0x0000000000400000-0x000000000061B000-memory.dmp

Filesize
2.1MB

Download
memory/3444-58-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3444-49-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/3444-550-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3444-55-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/3552-84-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/3552-82-0x0000000000CF0000-0x0000000000D50000-memory.dmp

Filesize
384KB

Download
memory/3552-77-0x0000000000CF0000-0x0000000000D50000-memory.dmp

Filesize
384KB

Download
memory/3552-80-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/3552-71-0x0000000000CF0000-0x0000000000D50000-memory.dmp

Filesize
384KB

Download
memory/3640-90-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/3640-100-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/3724-267-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3888-273-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3944-60-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3944-555-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3944-66-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3944-69-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3948-280-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3948-558-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4020-269-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/4076-268-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/4116-276-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4484-275-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4520-279-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/4520-557-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/4880-34-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4880-33-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/4916-19-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4916-17-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/4916-18-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4916-11-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4916-498-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/4924-556-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4924-277-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5068-549-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5068-271-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download